Re: [gentoo-user] [footnote] The purpose of pam
On Thursday 28 January 2010 00:04:46 Mick wrote:
> On Wednesday 27 January 2010 11:01:52 Willie Wong wrote:
> > On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> > > After thinking awhile I realized that pam can be used to
> > > combine multiple forms of authentication to reduce the well
> > > documented risk of single-factor authentication (like our
> > > traditional password system).
> > >
> > > Example: if I have an ordinary password, plus an ssh key
> > > stored on a USB stick, plus a biometric device like an
> > > eye scanner or a fingerprint scanner, I can then use any
> > > or all of those methods to identify myself to the system
> > > by configuring pam in the appropriate way.
> >
> > Yes.
> >
> > First look at the PAM configuration section of this:
> >
> > http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_via_pam_bioapi
> >
> > Now if instead of having
> >
> > auth sufficient pam_unix.so ...
> > auth sufficient pam_bioapi.so ...
> >
> > which says that either password log-in OR fingerprint scanner is
> > enough, you change the first line to "auth required ...", per the docs
> >
> > http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html
> >
> > you will then have a behaviour where BOTH password and fingerprint are
> > involved. I think PAM is a Pretty Good Idea and its implementation is
> > Very Cool, but I also think it is completely unnecessary on _my_
> > laptop.
>
> What would be the pam-way to only allow remote ssh logins using pubkeys and
> completely forbid ssh passwd? I used to remove allow pam from sshd_config.
> Is there a better pam-centric way of doing the same thing?

That's pretty pointless. pam doesn't know how to do openssl voodoo magic. sshd does.

--
alan dot mckinnon at gmail dot com
Re: [gentoo-user] [footnote] The purpose of pam
On Wed, Jan 27, 2010 at 23:04, Mick wrote:
> What would be the pam-way to only allow remote ssh logins using pubkeys and
> completely forbid ssh passwd? I used to remove allow pam from sshd_config. Is
> there a better pam-centric way of doing the same thing?

Set "PasswordAuthentication" to no in your sshd_config?

Ward
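Ward's one-liner is the right knob, but checking that it actually took effect is where people get caught: sshd honours the first value it reads for a keyword, a later Match block can switch password logins back on for particular users, and with UsePAM yes the keyboard-interactive method can still hand the password prompt to PAM unless ChallengeResponseAuthentication (called KbdInteractiveAuthentication in newer OpenSSH) is also off. The checker below is an added example written for this thread, not code from OpenSSH or from any poster; the three sshd_config samples inside it are constructed, and the keyword defaults it assumes are OpenSSH's documented ones.

```python
"""Check an sshd_config for the settings that decide whether a remote login
can still use a password.  sshd uses the FIRST value it sees for a keyword
and a later 'Match' block can override the global value for selected users,
so grepping for 'PasswordAuthentication no' is not a sufficient check."""

import re

# OpenSSH defaults for the keywords that matter here; keywords are compared
# case-insensitively, as sshd itself does.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # ChallengeResponseAuthentication is its older name
    "pubkeyauthentication": "yes",
    "usepam": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

_LINE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")  # 'Key value' or 'Key=value'


def parse_sshd_config(text: str):
    """Return (global_settings, match_blocks).

    global_settings: lowercase keyword -> first value seen before any Match.
    match_blocks: list of (criteria, {keyword: value}) in file order."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        keyword, value = m.group(1).lower(), m.group(2).strip()
        keyword = ALIASES.get(keyword, keyword)
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = global_settings if current is None else current
        target.setdefault(keyword, value)        # first occurrence wins, later ones are ignored
    return global_settings, match_blocks


def password_login_status(text: str) -> dict:
    """Summarise whether a password can still be used to log in.

    Returns the effective global values, a list of findings, and a boolean
    'password_possible' that is True if any path still accepts a password
    (a Match block re-enabling keyboard-interactive is counted conservatively)."""
    global_settings, match_blocks = parse_sshd_config(text)
    eff = {k: global_settings.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no' in the global section")
    if eff["kbdinteractiveauthentication"] != "no" and eff["usepam"] == "yes":
        findings.append("keyboard-interactive is on and UsePAM is yes: PAM can still "
                        "prompt for the account password")
    match_reenables = False
    for criteria, settings in match_blocks:
        for key in ("passwordauthentication", "kbdinteractiveauthentication"):
            if settings.get(key, "").lower() == "yes":
                findings.append(f"'Match {criteria}' turns {key} back on")
                match_reenables = True
    if eff["pubkeyauthentication"] == "no":
        findings.append("PubkeyAuthentication is 'no': key-based logins would not work at all")
    password_possible = (
        eff["passwordauthentication"] != "no"
        or (eff["kbdinteractiveauthentication"] != "no" and eff["usepam"] == "yes")
        or match_reenables
    )
    return {"effective": eff, "findings": findings, "password_possible": password_possible}


# Constructed sample configurations (not taken from any real host).
LOOKS_DISABLED = """
PasswordAuthentication yes
PubkeyAuthentication yes
# the line below never takes effect: sshd keeps the first value it saw
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""
HARDENED = """
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes
"""
PER_USER_HOLE = """
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("looks-disabled", LOOKS_DISABLED), ("hardened", HARDENED),
                      ("per-user-hole", PER_USER_HOLE)):
        status = password_login_status(cfg)
        print(name, "->", "password possible" if status["password_possible"] else "keys only")
        for f in status["findings"]:
            print("   ", f)
```

On a live host, `sshd -T` prints the effective configuration after this first-value-wins processing, so comparing its output against what the file appears to say is the quickest way to confirm the parser's verdict.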
Re: [gentoo-user] [footnote] The purpose of pam
On Wednesday 27 January 2010 11:01:52 Willie Wong wrote:
> On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> > After thinking awhile I realized that pam can be used to
> > combine multiple forms of authentication to reduce the well
> > documented risk of single-factor authentication (like our
> > traditional password system).
> >
> > Example: if I have an ordinary password, plus an ssh key
> > stored on a USB stick, plus a biometric device like an
> > eye scanner or a fingerprint scanner, I can then use any
> > or all of those methods to identify myself to the system
> > by configuring pam in the appropriate way.
>
> Yes.
>
> First look at the PAM configuration section of this:
>
> http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_via_pam_bioapi
>
> Now if instead of having
>
> auth sufficient pam_unix.so ...
> auth sufficient pam_bioapi.so ...
>
> which says that either password log-in OR fingerprint scanner is
> enough, you change the first line to "auth required ...", per the docs
>
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html
>
> you will then have a behaviour where BOTH password and fingerprint are
> involved. I think PAM is a Pretty Good Idea and its implementation is
> Very Cool, but I also think it is completely unnecessary on _my_
> laptop.

What would be the pam-way to only allow remote ssh logins using pubkeys and
completely forbid ssh passwd? I used to remove allow pam from sshd_config. Is
there a better pam-centric way of doing the same thing?

--
Regards,
Mick
Re: [gentoo-user] [footnote] The purpose of pam
On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> After thinking awhile I realized that pam can be used to
> combine multiple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
>
> Example: if I have an ordinary password, plus an ssh key
> stored on a USB stick, plus a biometric device like an
> eye scanner or a fingerprint scanner, I can then use any
> or all of those methods to identify myself to the system
> by configuring pam in the appropriate way.

Yes.

First look at the PAM configuration section of this:

http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_via_pam_bioapi

Now if instead of having

auth sufficient pam_unix.so ...
auth sufficient pam_bioapi.so ...

which says that either password log-in OR fingerprint scanner is
enough, you change the first line to "auth required ...", per the docs

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html

you will then have a behaviour where BOTH password and fingerprint are
involved. I think PAM is a Pretty Good Idea and its implementation is
Very Cool, but I also think it is completely unnecessary on _my_
laptop.

Cheers,

W

--
Willie W. Wong ww...@math.princeton.edu
Given an equation involving any number of fluent quantities, to find the fluxions, and vice versa. ~~~ I. Newton
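The control flags in Willie's two stacks are worth working through mechanically, because the result is not quite the OR/AND pair one expects. The evaluator below is an added example written for this thread, not code from the Linux-PAM project or from any poster; it applies the simple required/requisite/sufficient/optional semantics from the System Administrators' Guide linked above (the bracketed [value=action] syntax is deliberately not handled) to three constructed stacks and tabulates every combination of module outcomes. Two sufficient lines give OR, and two required lines give AND; but "required pam_unix, sufficient pam_bioapi" only makes the password mandatory: the user is prompted for both, yet a failed sufficient module is ignored, so a correct password alone still logs in. If the goal is genuine two-factor, both entries need to be required.

```python
"""Evaluate an /etc/pam.d/<service> 'auth' stack under the simple
control-flag semantics (required, requisite, sufficient, optional) given in
the Linux-PAM System Administrators' Guide.  Module results are supplied as
a dict, so the evaluator runs offline against constructed configurations and
shows what a given stack actually demands of the user."""

from dataclasses import dataclass
from itertools import product


@dataclass
class PamEntry:
    mtype: str      # auth, account, password, session
    control: str    # required, requisite, sufficient, optional
    module: str     # e.g. pam_unix.so
    args: tuple     # remaining tokens, kept for completeness


def parse_pam_config(text: str) -> list:
    """Parse lines of the form '<type> <control> <module> [args...]'.
    The bracketed [value=action ...] control syntax is not handled here."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 3 or tokens[1].startswith("["):
            raise ValueError(f"unsupported PAM line: {raw!r}")
        mtype, control, module, *args = tokens
        entries.append(PamEntry(mtype.lower(), control.lower(), module, tuple(args)))
    return entries


def evaluate_auth_stack(config_text: str, results: dict) -> bool:
    """Return True if the 'auth' stack succeeds when each module returns the
    result given in `results` (module name -> True/False, missing = failure).

    The 'impression' mirrors libpam's bookkeeping: None until a module sets
    it, True after a success, False once a required/requisite module fails."""
    impression = None
    for e in parse_pam_config(config_text):
        if e.mtype != "auth":
            continue
        ok = results.get(e.module, False)
        if e.control == "requisite":
            if not ok:
                return False                 # die: abort the stack immediately
            if impression is None:
                impression = True
        elif e.control == "required":
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False           # bad: keep going, but the final answer is failure
        elif e.control == "sufficient":
            if ok and impression is not False:
                return True                  # done: success unless something already failed
            # a failed sufficient module is simply ignored
        elif e.control == "optional":
            if ok and impression is None:
                impression = True            # only matters if nothing else decides
        else:
            raise ValueError(f"unknown control flag: {e.control}")
    # No module ever set a verdict (e.g. every 'sufficient' module failed):
    # libpam treats that as failure.
    return impression is True


def truth_table(config_text: str, modules: tuple) -> dict:
    """Map every combination of per-module outcomes to the stack's verdict."""
    table = {}
    for outcomes in product((True, False), repeat=len(modules)):
        table[outcomes] = evaluate_auth_stack(config_text, dict(zip(modules, outcomes)))
    return table


# Constructed configurations; the module names follow the thread.
EITHER = """
auth sufficient pam_unix.so
auth sufficient pam_bioapi.so
"""
PASSWORD_REQUIRED = """
auth required   pam_unix.so
auth sufficient pam_bioapi.so
"""
BOTH_REQUIRED = """
auth required pam_unix.so
auth required pam_bioapi.so
"""

if __name__ == "__main__":
    mods = ("pam_unix.so", "pam_bioapi.so")
    for name, cfg in (("either", EITHER), ("password required", PASSWORD_REQUIRED),
                      ("both required", BOTH_REQUIRED)):
        print(name)
        for (pw, fp), verdict in truth_table(cfg, mods).items():
            print(f"  password={pw!s:5} fingerprint={fp!s:5} -> {'allow' if verdict else 'deny'}")
```

The same evaluator also shows why requisite is the safer choice when the first factor must gate the second: a requisite failure stops the stack at once, whereas a required failure keeps prompting for the remaining modules and only denies at the end.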
Re: [gentoo-user] [footnote] The purpose of pam
On 27 Jan 2010, at 00:34, walt wrote:
> ...
> After thinking awhile I realized that pam can be used to
> combine multiple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
> ...
> Any sysadmins out there that can confirm my reasoning?

I use pam_winbind at a site to enable users to logon to the Dovecot IMAP server using their Windows domain username & password.

Once the underlying mechanism is setup it requires very little work to enable this - for ftp authentication (restricted to localhost only, but this allows Squirrelmail users to add a vacation message) I needed to touch, I am sure, nothing but the /etc/pam.d/ftp file. Dovecot requires only one or two extra lines in its config.

With one additional line in /etc/pam.d/imaps a homedir is created for the user the first time they log into the IMAP server (pam_mkhomedir.so).

This list may not consider this such a cool use of PAM as using long encryption keys to authenticate themselves, but I have found PAM amazing when it all comes together so quickly. PAM seems quite powerful & flexible, although I too seem to recall having a frustrating experience when I encountered it, without understanding it, years ago.

Stroller.
Re: [gentoo-user] [footnote] The purpose of pam
On Wednesday 27 January 2010 02:34:56 walt wrote:
> After thinking awhile I realized that pam can be used to
> combine multiple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
>
> Example: if I have an ordinary password, plus an ssh key
> stored on a USB stick, plus a biometric device like an
> eye scanner or a fingerprint scanner, I can then use any
> or all of those methods to identify myself to the system
> by configuring pam in the appropriate way.
>
> Any sysadmins out there that can confirm my reasoning?
>

This is not merely a nice thing you can use pam to do. It is the entire reason for pam's existence and it was written to do nothing else.

If all you need auth to do is validate a username/password you might as well stick with login.

pam is Pluggable Authentication Modules, meaning you use the modules you want to create the scheme you want.

--
alan dot mckinnon at gmail dot com
[gentoo-user] [footnote] The purpose of pam
Not too long ago there was a question here about why pam is needed (or not) but I can't find that thread at the moment :-/

Anyway, I said that I put "auth sufficient pam_ssh.so" in my /etc/pam.d/system-auth file so that I can ssh between the machines on my home network using my ssh key for login authentication *instead* of a password.

Well, Neil said that I don't need pam for that because sshd handles ssh logins automatically, whether by key or password. I deleted that line from system-auth and found that I could indeed ssh between machines using my ssh key, just as Neil said.

However...

Then I remembered that the *real* reason I added that line to system-auth is so that I can login directly (not via ssh) to my local machines using my ssh passphrase instead of an ordinary password. (This seems inherently more secure to me, but I could be wrong.)

After thinking awhile I realized that pam can be used to combine multiple forms of authentication to reduce the well documented risk of single-factor authentication (like our traditional password system).

Example: if I have an ordinary password, plus an ssh key stored on a USB stick, plus a biometric device like an eye scanner or a fingerprint scanner, I can then use any or all of those methods to identify myself to the system by configuring pam in the appropriate way.

Any sysadmins out there that can confirm my reasoning?